Cross-site Scripting (XSS) - Stored in bytefury/crater


Reported on

Apr 25th 2021

✍️ Description

Stored xss using customer billing address

🕵️‍♂️ Proof of Concept

  1. First goto demo app and create a customer . During creation put bellow xss payload in billing address field and save it . Now see xss is executed

payload --> xss"'><img src=x onerror=alert(document.domain)> #VIDEO Poc -->

💥 Impact


Mohit Panjwani confirmed that a fix has been merged on 3a1f5a 3 months ago
The fix bounty has been dropped
to join this conversation